Posted
by
Soulskillon Friday February 14, 2014 @09:47AM
from the out-of-sight-out-of-mind dept.

SpacemanukBEJY.53u writes "Alex Holden of Hold Security has come forward with a significant find: a 7,000-strong list of FTP sites run by a variety of companies, complete with login credentials. The affected companies include The New York Times and UNICEF. The hackers have uploaded malicious PHP scripts in some cases, perhaps as a launch pad for further attacks. The passwords for the FTP applications are complex and not default ones, indicating the hackers may have other malware installed on people's systems in those organizations."

Basically what happens is that you get a few passwords, fire them against some servers that you know or assume the person it belongs to has some kind of access to (people routinely reuse passwords), if you get access to some webpage, slip in some code that loads malware to infect everyone visiting the webpage, rinse and repeat.

It would be interesting to model the "spread" of this way of password gathering. I wouldn't be surprised if it would show similar patterns to the spread of a (RL) infection.

As a "pen tester"... Since FTP servers aren't often monitored as closely as higher-profile web applications, but are still often tied into a company's AD or other common credential store, they're often a great resource to use if you want to harvest some high-value credentials before you go on site. (I like to use this:http://www.filetransferconsult... [filetransf...ulting.com] for that.)

Too true. Actually it's scary how neglected a lot of "secondary resources" like FTP servers are in terms of security. You'll often find some outside pointing FTP or other "odd protocol" servers at some companies that have not been updated for ages.

The story behind those servers is usually that they were required for some project ages ago when a business partner insisted in using some "odd" protocol, they haphazardly set it up (usually done by an admin who went down a "how-to for dummies", not because he is stupid but usually because he lacks the time he'd have to invest into learning the ins and outs of the server to set it up properly), fiddled with it until it kinda-sorta worked and let them transfer whatever data they had to move. Then the server gets forgotten and is left running because "they don't cost anything","we might need it again one day and it took so long to get it running" and "they don't contain any valuable data".

Well, no valuable data besides the credentials of its users.

This works well for a line of services aside of FTP servers. The more obscure and the less widely used, the higher your chance to find some exploit for it (if you need an exploit at all because, as stated above, the admin more likely than not left out a critical security step).

I've not understood why the FTP servers at least had some sanity checks on them, if unencrypted FTP has to be used:

1: If the server is used by business "A" to feed business "B" data to their server, then business "B"'s FTP server should have TCP wrappers installed/configured, and business "A"' should consider using a static IP address for outgoing stuff. This won't help much with authentication, but passwords cannot be brute forced if the server doesn't allow connections in the first place.

"ftp" is usually synonymous with sftp these days, though of course if you use 12345 or similar as your password you might as well just tie a print out of all your important data to a dogs tail and let it run through a town centre for all the good public-private key encryption will do you.

While people take them as synonymous will think that one is as safe as the other will keep using the "wrong" one. From the article can't tell if any, most or all were plain, old, legacy ftp instead of sftp.

Just because the passwords were leaked does _not necessarily_ mean that plaintext passwords enabled it. There are multiple attack scenarios that exist that would have just as easily compromised SSH passwords.

The summary was missing a couple important words. I've added them below:

The passwords for the FTP applications, which are transmitted unencrypted because that's just how FTP is and it doesnt matter if your password is "kjasdfkljlYSU87fyue847thIP&SH&&CDFO$Wfhi7qe4h5fo78aegh4fai7oshc7o8vae4hf84" or "correct horse battery staple" because a third-grader could sniff the traffic with decade-old tools, are complex and not default ones

In case anybody thinks you are exaggerating: FTP was designed back in 1971 [ietf.org]. These companies are using a protocol with terrible security because it wasn't designed to be used on the public Internet - because the Internet wasn't even invented back then.

Anybody who seriously suggests FTP in this day and age needs to be told in no uncertain terms that this is an obsolete, pain in the arse protocol that should have died a long time ago.

Anonymous upload directory (where downloads are prohibited), and anonymous downloads (public dissemination of information). Being a lowest common denominator, your clients don't need special software to push files to the uploads directory or to download files.

But beyond that, you should be using HTTPS pages or SCP or something else...

While I don't know what's NY Times' excuse, Cpanel, which powers a lot of servers on the internet still relies heavily on FTP. And Cpanel, while primarily designed to manage shared hosting, is not limited to shared hosts only, many people choose to have it installed on their VPS or dedicated server.

For many web developers, process of deployment is still uploading via FTP, which is both insecure and inconvenient, but I see it very often.

Yes, you're probably right. When I typed in www.slashdot.org, and subsequently heard an auto advertisement coming out of my speakers, and a video playing in the lower right hand corner of the browser window, that was clearly my fault. We all know that every visitor gets the exact some advertisements. I will stop using the "Internets" as you refer to them.

why people are not using secure comms. No one should be using FTP for anything anymore except maybe internally. All Internet-facing servers and services should, by law, be forced to be encrypted. Enough of this cracking nonsense already. It's the same crap with MS and admin by default out of the box. As an IT guy, 95% of the malware out there could be stopped by not surfing the net with admin privileges. Are we all stupid? SSH, SSL, TLS, IKE, whatever you want to use, just use it already.

why people are not using secure comms. No one should be using FTP for anything anymore except maybe internally. All Internet-facing servers and services should, by law, be forced to be encrypted. Enough of this cracking nonsense already. It's the same crap with MS and admin by default out of the box. As an IT guy, 95% of the malware out there could be stopped by not surfing the net with admin privileges. Are we all stupid? SSH, SSL, TLS, IKE, whatever you want to use, just use it already.

But it's also about the only way to get files reliabily sent and received by people in companies.

People should use the tools that work. Emailing a 100Mb file to someone is horrible and breaks many mail clients. Emailing a 100Mb file to 100 someones is, well, ridiculous. Sourcing a 100Mb file to anyone who wants it is, well, a very good job for FTP.

Why not HTTP? I trust my FTP server security more than I do my web server. Not that I don't trust my web server, but one is a relatively simple tool doing something relatively simple, the other is modules this and access that and URLs that do special things

Isn't a firewall supposed to make your network safer? If the firewall prevents you from using SSH/SCP and forces you to use plain text FTP, what is the point of this firewall? I see many people using all kinds of unsafe cloud solutions to avoid NAT and firewalls. It's the wrong solution.